paladinair

Port Forwarding - Remote seems to be in LAN

Hi,

I'm trying out Port Forwarding at the moment and so far it works great - with one hitch:

I have a server that distinguishes between connecting through LAN or WAN: I only have to use a login when I'm connecting from the WAN. I have forwarded the corresponding port, and when I connect from another site I don't have to log in, because the server sees the VPN router as the origin address instead of the real (WAN) IP address.

I used port forwarding in the past with my WAN router and it always preserved the origin IP address.

Have I made a mistake configuring the VPN server, or is there a setting I can use to remedy this?

Thank You.


It will be an artefact of your router configuration rather than a feature of the VPN. It sounds like your router is doing source NAT on any connections received on the tunnel interface, but it doesn't have to.

 

Can you tell us more about the VPN router? Is it also your broadband router, or is it sitting between your LAN and the Internet router?


Thanks for the reply. I use a Raspberry Pi (Raspbian) and I got the configuration for the iptables rules off the Internet:

iptables -I FORWARD -i tun0 -p tcp -d <192.168.1.xx> --dport xxxx -j ACCEPT
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport xxxx -j DNAT

Of course I have the corresponding numbers instead of xx and xxxx.

 

From the same source I got the configuration to block connections without an active VPN, but this doesn't really work either:

iptables -A FORWARD  -s 192.168.1.0/24 -i eth0:0 -o eth0 -m conntrack --ctstate NEW -j REJECT
iptables -A FORWARD -s 192.168.1.0/24 -i eth0:0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

I'm not really a Linux expert, just gathering together what I need off the Internet.

If you could give me a hint on how to configure it correctly, it would be really great.

Thank you.


I too am not an expert. So, if I get this right, your Pi has a single Ethernet interface which it uses to initiate a VPN and to communicate with devices on the local LAN. Am I right?

Are you missing part of the PREROUTING rule after DNAT? --to-destination <server-ip>.

Server, Pi and router should all have the same netmask and be within the same network. I can't see anything in the iptables rules that would cause the Pi to masquerade packets leaving its interface. Is it possible that they are communicating via the LAN interface of the broadband router instead of directly?


Thanks for the help! You gave me the tip I needed; it works now! I copied the iptables rules from documentation I made for the future and not from the live system. There I had another MASQUERADE rule. I removed this rule and now it works.

Thanks again - and at least now I know what these masquerade entries do.


I completely forgot to answer your questions (maybe they help the next person with similar problems):

Yes, I use a single eth interface on the Pi, so I created a virtual interface eth0:0 with the address 192.168.1.254. This is the gateway for my server, so that part was working correctly.

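The thread's root cause, spelled out: the server treats "connection from a LAN address" as an authorization decision (no login required), so a stray MASQUERADE that rewrites the source of the forwarded packets to the Pi's own address turns every VPN-forwarded connection into a trusted local one. The DNAT needs a --to-destination, and source NAT must be restricted to traffic actually leaving through the tunnel. The script below is an added example for this thread, not the poster's live configuration or anything from the VPN provider; the LAN 192.168.1.0/24, server 192.168.1.10, TCP port 8080, eth0 and tun0 are assumed values. It prints the ruleset instead of applying it (pipe it into sh as root to apply), and includes a check that flags exactly the kind of leftover rule the poster removed. One detail from the posted rules: netfilter does not see alias interfaces such as eth0:0, so a rule matching -i eth0:0 never fires; match on eth0.

```shell
#!/bin/sh
# Added example (not from the forum thread). Assumed values:
# LAN 192.168.1.0/24 behind the Pi, server 192.168.1.10 on TCP 8080,
# Pi LAN interface eth0 (the eth0:0 alias is just an address on eth0),
# VPN tunnel interface tun0.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
SERVER_IP="${SERVER_IP:-192.168.1.10}"
FWD_PORT="${FWD_PORT:-8080}"

# Emit the ruleset as iptables commands rather than applying it, so it can be
# reviewed (and checked below) without root.  "gen_rules | sh" applies it.
gen_rules() {
    cat <<EOF
# Inbound: connections arriving from the VPN on the forwarded port go to the server.
# Only the destination is rewritten; the client's real source address is preserved,
# so the server still sees it as a WAN connection and asks for a login.
iptables -t nat -A PREROUTING -i $TUN_IF -p tcp --dport $FWD_PORT -j DNAT --to-destination $SERVER_IP:$FWD_PORT
iptables -A FORWARD -i $TUN_IF -o $LAN_IF -p tcp -d $SERVER_IP --dport $FWD_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Outbound kill switch: LAN hosts may open new connections only through the tunnel.
# Alias interfaces (eth0:0) do not exist to netfilter, so match on $LAN_IF itself.
iptables -A FORWARD -s $LAN_NET -i $LAN_IF -o $LAN_IF -m conntrack --ctstate NEW -j REJECT
iptables -A FORWARD -s $LAN_NET -i $LAN_IF -o $TUN_IF -m conntrack --ctstate NEW -j ACCEPT
# Source NAT only for traffic leaving through the tunnel.  A rule matching
# -o $LAN_IF (or with no -o at all) would also rewrite the forwarded packets'
# source to the Pi's address, which is the symptom described in the thread.
iptables -t nat -A POSTROUTING -s $LAN_NET -o $TUN_IF -j MASQUERADE
EOF
}

# Read iptables commands or iptables-save lines on stdin and fail (exit 1) if any
# POSTROUTING MASQUERADE/SNAT rule could fire on LAN-bound packets, i.e. it is
# not restricted to "-o $TUN_IF".  Run it against the live box with:
#   iptables-save -t nat | check_no_lan_snat
check_no_lan_snat() {
    bad=$(grep 'POSTROUTING' | grep -E -- '-j (MASQUERADE|SNAT)' \
          | grep -v -- "-o $TUN_IF" | grep -v '^#' || true)
    if [ -n "$bad" ]; then
        printf 'source NAT would also hit LAN-bound traffic:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample of the mistake: the leftover rule the poster had to remove.
BAD_RULESET="iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE"

# Demonstration: the generated ruleset passes, the leftover rule is caught.
gen_rules | check_no_lan_snat && echo "generated ruleset: OK"
printf '%s\n' "$BAD_RULESET" | check_no_lan_snat || echo "leftover MASQUERADE on eth0 found (expected)"
```

The check is deliberately a text filter over iptables-save output rather than a live test, so it can be run on a copy of the configuration before touching the Pi. The same symptom can also come from a MASQUERADE rule on the broadband router's LAN side if the server's default gateway is the router rather than the Pi, which is why the reply above asks whether the two are talking through the router.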
